Was IBM Right? Is Siri A Threat To Businesses? [Feature]

Apple has gotten a fair amount of flak over Siri – most of it relating to Siri not recognizing words or phrases, misinterpreting requests, or providing incomplete or inaccurate answers. Apple is even facing a class action lawsuit over Siri not working as promised by iPhone 4S ads.

For IBM, however, the concern isn’t that Siri won’t work as advertised. Big Blue is worried that Siri will work exactly as advertised and that confidential and sensitive information will leak outside IBM’s network as a result. For those reasons, the company disables Siri on the iPhones of its employees.

IBM has a very active BYOD program in which thousands of its employees are encouraged to use their iPhones, iPads, Android handsets, and other devices. Around 80,000 of the company’s workers have signed onto the BYOD program and the program is intended to reach all 440,000 IBM staffers at some point.

As we reported in March, IBM is particularly strict about its BYOD program. The company blocks access to any cloud services (including iCloud and Dropbox) other than its internal MyMobileHub cloud. Users are also told that their devices will be completely wiped when they leave the company regardless of whether they’re fired, laid off, quit, or retire – an interesting point of irony given that IBM’s mobile management software is designed to allow selective wipe of business data on a device while leaving personal content untouched.

When it comes to Siri, IBM leverages the mobile device management (MDM) framework that Apple has built into iOS to disable Siri on every iPhone 4S. The move is consistent with blocking mobile devices from accessing non-IBM networks and cloud services.
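An added example, not from the article or from IBM: a short audit that reads a configuration profile and reports which of the features discussed here it still leaves enabled. The key names are those of Apple's Restrictions payload; which keys a device honors depends on its iOS version and supervision state, and both sample profiles are constructed.

```python
import plistlib

# Keys of Apple's Restrictions payload (PayloadType com.apple.applicationaccess).
# A key that is absent from a profile leaves the feature allowed.
KEYS = {
    "allowAssistant": "Siri",
    "allowAssistantWhileLocked": "Siri on the lock screen",
    "allowDictation": "dictation",
    "allowCloudBackup": "iCloud backup",
    "allowCloudDocumentSync": "iCloud document sync",
}

def effective_restrictions(profile_bytes):
    """Return {key: allowed} across every Restrictions payload in a profile."""
    profile = plistlib.loads(profile_bytes)
    allowed = dict.fromkeys(KEYS, True)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in KEYS:
            if payload.get(key) is False:  # one explicit false disables the feature
                allowed[key] = False
    return allowed

def still_allowed(profile_bytes):
    """Names of the audited features that the profile leaves enabled."""
    state = effective_restrictions(profile_bytes)
    return sorted(KEYS[k] for k, ok in state.items() if ok)

def sample_profile(restrictions):
    """Build a constructed .mobileconfig body carrying one Restrictions payload."""
    payload = {"PayloadType": "com.apple.applicationaccess",
               "PayloadIdentifier": "example.restrictions",  # placeholder
               "PayloadVersion": 1}
    payload.update(restrictions)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadVersion": 1,
                           "PayloadContent": [payload]})

# Constructed inputs: one profile that blocks only iCloud, one that also blocks Siri.
CLOUD_ONLY = sample_profile({"allowCloudBackup": False, "allowCloudDocumentSync": False})
STRICT = sample_profile(dict.fromkeys(KEYS, False))

if __name__ == "__main__":
    print("cloud-only profile still allows:", still_allowed(CLOUD_ONLY))
    print("strict profile still allows:", still_allowed(STRICT))
```
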

IBM’s fear is centered around the fact that Siri is a cloud-based and crowd-sourced solution. The iPhone 4S sends voice data to Apple for speech recognition and interpretation (the new iPad does the same with its Siri-like dictation feature). Siri also requires access to personal information on an iPhone 4S like contacts and the relationships between an iPhone 4S user and his or her contacts. Siri also gets access to your location data. That’s a lot of information being sent to Apple’s servers – servers that IBM has no control over.

That means that it’s quite possible that an IBM employee using an iPhone 4S might speak sensitive information while using Siri – composing an email or message to coworkers, adding or rearranging meetings and events, setting reminders, and using location services to find specific businesses and get directions are all common tasks that could reference or contain sensitive information. If Siri is set to activate by raising the phone to your face, it can unintentionally activate, record a snippet of conversation, and try to interpret it.

A bigger concern is Siri-related dictation, which can be used in most apps that support text input. The chances of sensitive information being gleaned by asking Siri to move a meeting, send a text, or add a reminder are pretty small. Someone dictating text into a productivity app like Pages or Quickoffice or even into an internal line of business app is much more likely to mention some sensitive information.

Beyond data reaching Apple’s servers, the question is one of data retention. Apple’s terms do indicate that the company may retain some Siri queries as a crowd-sourcing mechanism but will anonymize them if it does.

That means that it is possible that Siri or iOS dictation could lead to sensitive information being stored in an Apple data center. And it isn’t beyond the realm of possibility that such information could be extracted. Is it likely that Apple or someone within Apple could search out that information, analyze it, and use it as actionable data (publish it, commit a crime, use it as insider information against IBM)? Probably not. The chain of events would be pretty dramatic and probably very difficult to pull off effectively, but that series of events is theoretically possible.

Perhaps the biggest privacy concern around Siri isn’t a technical one. It’s the behavior of the person using Siri. If you’re dictating an email, rearranging your schedule, or setting reminders using Siri, you’re speaking and can be overheard. If you listen to the interactions people have with Siri, their speaking rhythm and phrasing differ subtly from what’s typical of most conversations. Even if you don’t hear Siri’s signature beep or responses because someone’s using a headset, you can usually tell that the person is talking to Siri or a similar service. That opens up the possibility that someone on the train with you, behind you in a coffee shop, or next to you in a company cafeteria will overhear details that you might not share in a real conversation.

Is IBM being overcautious when it comes to Siri? To some extent. That isn’t really a surprise given the lengths the company is going to in preventing data leaks in other areas of its BYOD requirements. Does every business need to disable Siri? Probably not, but ensuring that everyone understands the concerns around Siri and dictation is a good idea for any company. As with many mobile and cloud technologies, companies in regulated industries like healthcare and finance should follow IBM’s lead and err on the side of caution unless a technology can be shown to comply with regional or national privacy regulations.